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1* Introduction 

The following is an example of the constructive specification of a queue which is done in the style of 
[Jones 80] using the Vienna Development Method. The basic approach is that of data type refinement. 
While the techniques we used are not restricted to those used by Jones, particularly with respect to the 
method for proving properties of the retrieve function for linked lists, the notation is consistent with his. 


2. The specification of a Queue 


2.1. States and types for the Queue operations 
Queue = Element-list 
INIT 

states : Queue 

ENQUEUE 
states : Queue 
type : Element — > 

DEQUEUE 
states : Queue 
type : — > Element 

EMPTY 
states : Queue 
type : — > Boolean 


2.2. Pre— and post-conditions for the Queue operations 

post-INIT^q’) = q’ = <>. 

post-ENQUEUE(q,e,q’) = q’ = q || <e>. 

pre-DEQUEUE(q) = q ^ < >. 
post-DEQUEUE(q,e,q*) = q’ = tl(q) and e = hd(q). 


post-EMPTY(q,q’,b) = q = q’ and (b < = > q = <>). 


3* A Data Refinement of a Queue in Terms of Linked Lists 


3.1. A queue as a linked list 

Queuel = [node]; 
node = record 

E : Element; 

PTR : Queuel 
end; 

l 

3.2. The retrieve function 

The retrieve function is a function which maps the linked list representation of a queue into a list 
representation. 

retr : Queuel — > Queue 

retr(ql) = if ql = NIL then < > 

else(<ql.E> [j retr(ql.PTR)). 

The data type invariant for Queue and Queuel is TRUE. 


3.3. Queuel models Queue 

In order to show that Queuel models Queue the retrieve function must map all of Queuel into 
Queue and every member of Queue must be the value of some member of Queuel under the retrieve map- 
ping. These two conditions are stated more precisely as rules aa and ab in [Jones 80, p.187]. In addition 
to rules aa and ab, the pre- and post-conditions for the operations for Queuel must imply the pre- and 
post-conditions for the corresponding operations for Queue for members of Queuel mapped back to Queue 
by the retrieve function. These conditions are precisely stated as rules da and ra [Jones 80, p.187]. 


3.3.1. Rules aa and ab are satisfied by the retrieve function 

aa. (V ql £ Queuel)(3 q £ Queue such that q = retr(ql)). 

Proof. We use structural induction on Queuel. Suppose ql = NIL. Then retr(ql) = < > and < > £ 
Queue. 

Suppose ql £ Queuel and ql ^ NIL. Then retr(ql) = <ql.E> ]] retr(ql.PTR). By the induction 
hypothesis there exists q 5 £ Queue such that q’ = retr(ql.PTR). Let q = <ql.E> || q\ Clearly, q £ 
Queue and q = retr(ql). 

ab. (V q £ Queue)(3 ql £ Queuel such that q = retr(ql)). 

Proof. We use structural induction on Queue. Suppose that q = < >. If ql = NIL then by the definition 
of the retrieve function retr(ql) = q. 

Let q £ Queue and suppose that q ^ NIL. It follows that q = hd(q) ]] tl(q) where tl(q) £ Queue. By 
the induction hypothesis, there exists ql’ £ Queuel such that retr(ql’) = tl(q). Define ql £ Queuel as fol- 
lows: 


ql.E = hd(q) and ql.PTR = ql\ 


Then retr(ql) = q. 


3.3.2. Specification of the operations on Queuel 

To specify the operations on Queuel in terms of pre- and post- conditions we need an extension of 
some of the notions introduced by Jones [Jones 80, chapter 9] for lists to linked lists. The queue opera- 
tions of initialization, enqueue, and empty are straightforward to implement in terms of linked lists. A 
difficulty occurs in the post-condition for the enqueue operation for a queue implemented on linked lists. 
If we choose to introduce a new argument, say, tail to describe the element appended at the end of a 
queue, then tail must be expressed in terms of the new queue. This is because of the form of the post- 
condition for the enqueue operation at the previous level of abstraction (in terms of lists) is in terms of the 
new queue which is obtained from the old one by concatenation of a list of a single element to the end of 
the old queue. 

This can be done by the following: 

tail = <hd(rev(ql))> for ql £ Queuel 

and properly extended notions of hd, rev (the reverse order on lists), and < > to linked lists. If the post- 
condition for the enqueue operation is stated in terms of tail, it is very awkward to verify rule ra for this 
operation because the post-condition for the enqueue operation on lists is stated in terms of queues of lists, 
not "tail ends" of queues. This approach then seems to require a backtracking in the post-condition for 
the enqueue operation in terms of lists using the notion of tail. 

We use another approach, which is to extend the notions used for lists in the post-condition for the 
enqueue operation of a queue implemented in terms of lists to corresponding notions for linked lists. This 
has the advantage of making the post-condition for the enqueue operation in terms of linked lists very 
similar in form to the post-condition for enqueue for queues of lists. This also makes makes rule ra rea- 
sonably straightforward to check. 


3.3.3. Extension of the theory of lists to linked lists 

We define the notions of head, tail, and concatenation for linked lists. By an abuse of notation, we 
use the same names for these notions which are defined for lists [Jones 80, chapter 9]. 

Let llist, llistl, llist2 be linked lists. Denote by hd the head of a linked list. It is defined as follows: 
hd(llist) = llist. E. 

The tail of a linked list is denoted by tl. The definition is: 
tl(llist) = llist.PTR. 

The length of a linked list is denoted by len. The definition is: 

len(llist) = if llist = NIL then 0 
else 1 + len(tl(llist)). 

The index operator extended to linked lists is given by: 
llist(i) = if i = 1 then hd(llist) 


else tl(llist)(i - 1). 

The concatenation operator extended to linked lists is given by: 


llistl J] llist2 = the unique linked list such that: 
(V i G {l,...,len(llistl)} (llist(i) = llistl(i))) and 
(V i G {lj—flen(llist2)} (llist(i + len(llistl)) = llist2(i)). 

We observe that Hist j| NIL = NIL ]] llist = llist. 


3.3.4. The retrieve function has an inverse 

To define <hd(llist)> where llist is a linked list, we need the inverse of the retrieve function. We 
observe that the retrieve function, retr, has a natural extension from Queuel to Listl, the collection of all 
linked lists, by defining retrieve as follows : 

retr : Listl — > List 

retr(ll) = if 11 = NIL then < > 

else (<11.E> \\ retr(ll.PTR). 

The next lemma proves that retr is 1 to 1 and therefore, the inverse exists. 

Lemma. Let 11, 12 in Listl and assume that retr(ll) = retr(12). Then 11 = 12. 

Proof. The proof is by structural induction. Suppose 11 — NIL and 12 ^ NIL. Then retr(ll) = < > but 
retr(12) = <12.E> ]| retr(12.PTR). This contradicts the assumption that retr(ll) = retr(12). 

Next, let 11 NIL and retr(ll) = retr(12) for some 12 in Listl. Furthermore, suppose that for each 
linked sublist IP of 11, if retr(lP) = retr(12’), where 12’ is a linked sublist of 12, then 11’ = 12\ We note 
that 12 ^ NIL since 12 = NIL implies that retr(12) = <>, in which case retr(12) ^ retr(ll). Therefore 
retr(12) = <12.E> jj retr(12.PTR). We also have retr(U) = <11.E> |J retr(U.PTR). Since ret(U) = 
ret(12), <ll.E> = <12.E> and retr(ll.PTR) = retr(12.PTR). By the induction hypothesis, ll.PTR = 
12.PTR. We conclude that 11 = 12. 

We observe that the rules aa and ab hold when applied to linked lists. The proofs carry over by 
replacing queues implemented in terms of lists and linked lists by arbitrary lists and linked lists. Thus, 
the function retr is a 1 to 1 mapping onto the set of lists, List. 

Let 1 in List. There exists a unique 11 in Listl, by rule ab, such that retr(ll) = 1. Define invretr as: 
invretr(l) = 11. 

This definition can be restricted in a natural way to hold only for queues implemented in terms of lists and 
linked lists. 

We are now in a position to extend the list notation to linked lists. Let 11 in Listl. Then there exists 
(a unique) 1 in List such that retr(ll) = 1. Assume furthermore that 11 ^ NIL and that 11 .E = e. We 
define the linked list formed from the element 11. E as follows: 

<11.E> = invretr(<hd(l)>). 

In particular, < hd(ll) > = invretr(<hd(l)> ). Notice that the list in the term on the left is a linked list, 
while the list in the term on the right hand side of the equivalence is not a linked list. 


3.3*5. States and types for the Queuel operations 


Queuel = [node]; 
node = record 

E : Element; 
PTR : Queuel 
end; 


INIT1 

states : Queuel 

ENQUEUEl 
states : Queuel 
type : Element — > 

DEQUEUEl 
states : Queuel 
type : — > Element 

EMPTY1 
states : Queuel 
type : — > Boolean 


3.3.6. Pre- and post-conditions for the Queuel operations 
post-INITl (ql ,ql *) = ql’ = NIL. 
post-ENQUEUE^qljql^e) s ql* = ql jj <e>. 
pre-DEQUEUEl(ql) = ql ^ NIL. 

post-DEQUEUEl(ql,ql’,res) = ql’ = ql.PTR and res = ql.E. 
post-EMPTYl(ql,ql’,b) = ql’ = ql and (b <== > ql = NIL). 


3.3.7. The retrieve function is an isomorphism 

Lemma. Let <e>, 11 £ Listl and suppose that len(ll) = n for some integer n > 0. Then (11 ]j 
<e>).PTR = 11* |] <e> where 11 £ Listl and len(ll) = n - 1. 

Proof. Suppose n = 1. Then 11 = <el> for some el £ Element. We have (11 jj <e>).PTR = (<el> jj 
<e>).PTR = <e> — NIL jj <e>. NIL £ Listl and len(NIL) = 0. 

Let len(ll) = n. Then 11 = <el, e2, ..., en> where ei £ Element for i = 1, 2, ..., n and the ei’s are 
not necessarily distinct. We have 

(11 jj <e>).PTR = (<el, e2, ..., en> jj <e>).PTR 
= <el, e2, ..., en, e>.PTR 
= <e2, ..., en, e> 

= <e2, ..., en> jj <e>. 

Let 11’ = <e2, en>. We observe that 11* £ Listl and len^l’) = n - 1. 


Lemma. Let <e>, 11 £ Listl. Then retr(ll ]] <e>) = retr(ll) !! < e > • 

Proof. We use induction on len(ll). Suppose that len(ll) = 0. Then 11 = NIL. It follows that retr(ll [j 
<e>) = retr( < > jj <e>) = retr(<e>) = < > j] <e> = retr(ll) [[ <e>. 

Assume that the lemma holds V IP £ Listl for which len(ll’) < n for some integer n > 0. Let 11 £ 
Listl and suppose that len(ll) = n and let 11. E = e\ We have 

retr(ll jj <e>) = retr(<(ll || <e>).E> ]] retr((ll [] <e>).PTR). 

We note that ll.E = (11 ]| <e>).E so that 

retr(ll j| <e>) = <e’> Jj retr((ll jj <e>).PTR). 

We can rewrite (11 jj <e>).PTR as 11’ jj <e> where len(ll’) < n from the previous lemma. By the 
induction hypothesis, 

retr((ll jj <e>).PTR) = retr(ll’ jj <e>) == retr(ll’) Jj <e>. 

It follows that 

retr(ll jj <e>) = <e’> jj (retr(ll’) jj <e>). 

But from the definition of the retrieve function 
retr(ll) = < hd(ll) > Jj retr(ll.PTR). 

Therefore, retr(ll jj <e>) = retr(ll) jj <e>. 


Theorem. V 11, 12 £ Listl, retr(ll j] 12) = retr(ll) jj retr(12), that is, the retrieve function is an isomor- 
phism from the set of linked lists to the set of lists. 

Proof. We use induction on len(12). When len(12) = 0 we have 
retr(ll jj 12) = retr(ll jj < >) = retr(ll). 

In List we have 

retr(ll) jj retr(12) = retr(ll) j] <> — retr(ll). 

Assume that retr(ll jj 12’) = retr(ll) jj retr(12’) for 12’ £ Listl for which len(l2’) < n for some positive 
integer n. Suppose that len(12) == n. Then 

retr(ll) jj retr(12) = retr(ll) jj (<hd(12)> jj retr(tl(12))) 

= (retr(ll) jj <hd(12)>) jj retr(tl(12)). 

By the induction hypothesis and the previous lemma, 


(retr(ll) [[ <hd(12)>) jj retr(tl(12) = retr(ll [[ hd(12)) jj retr(tl(12)). 


Since len(12) — n, len(tl(12)) = n - 1 so that we can use the induction hypothesis with 12’ = tl(12). It 



follows that 


retr(ll jj <hd(l2)>) || retr(tl(12)) = retr((ll j[ <hd(12)>) J| tl(12)) 

= retr(ll |j (<hd(12)> jj tl(12))) 

= retr(ll \\ 12). 


3.3.8. The operations on Queuel model the operations on Queue 

The next step is to show that each of the new operations on Queuel : INITl, ENQUEUEl, 
DEQUEUE1, and EMPTYl correspond to the operations INIT, ENQUEUE, DEQUEUE, and EMPTY on 
Queue. For each of the operations on Queuel we must show that both da and ra [Jones 80] hold, where da 
and ra are : 

da. (V ql G Queuel)(pre-OP(retr(ql),args) => pre-OPl(ql,args)). 

ra. (V ql G Queuel)(pre-OPl(ql,args) and post-OPl(ql,args,ql , ,r es ) => post- 

OP(retr(ql),args,retr(ql’),res)). 

da. (V ql G Queuel)(pre-INIT(retr(ql),args) => pre-INITl(ql,args)). 

Proof. The proof is immediate since pre-INIT and pre-INITl are both TRUE. 

ra. (V ql G Queuel)(pre-INITl(ql,args) and post-INITl(ql,args,ql J ,r es ) — ^ post— 

INIT(retr(ql),args,retr(ql > ),res)). 

Proof. Since ql* = NIL we know that retr(ql’) = < >. 

da. (V ql G Queuel)(pre-ENQUEUE(retr(ql),args) => pre-ENQUEUEl(ql,args)). 

Proof. This follows immediately since the pre-conditions for ENQUEUE and ENQUEUEl are both 
TRUE. 

ra. (V ql G Queuel)(pre-ENQUEUEl(ql,args) and post-ENQUEUEl(ql,args,ql’,res) => post- 

ENQUEUE(retr(ql),args,retr(ql’),res)). 

Proof. We have ql’ = ql [] <e> and retr(ql’) = retr(ql ]] <e>). By the lemma of 2.3.7, retr(ql’) = 
retr(ql) !! CO- 

da. (V ql £ Queuel)(pre-DEQUEUEl(retr(ql),args) => pre-DEQUEUE(ql,args)). 

Proof. Since retr(ql) ?£ <>, ql ^ NIL. 

ra. (V ql € Queuel)(pre-DEQUEUEl(ql,args) and post-DEQUEUEl(ql,args,ql’ ,res) = > post- 

DEQUEUE(retr(ql),args,retr(ql , ),res). 

Proof. We have ql ^ NIL and ql* = ql.PTR and res = ql.E. From the definition of the retrieve func- 
tion, retr(ql) = <ql.E> ]] retr(ql.PTR). Then retr(ql’) = retr(ql.PTR) = tl(retr(ql)). Finally, res = 

ql. E = hd(retr(ql)). 

da. (V ql G Queuel)(pre-EMPTY(retr(ql),args) => pre-EMPTYl(ql,args)). 


Proof. This is immediate since the pre-conditions are both TRUE. 


ra. (V ql £ Queuel)(pre-EMPTYl(ql,args) and post-EMPTYl(ql,args,ql’,res) => post- 
EMPTY(retr(ql),args,retr(ql , ),res)). 

Proof. We have ql = ql’ and (b < = > ql = NIL). Since ql = ql*, retr(ql) = retr(ql’). But ql = NIL 
implies that retr(ql) = <>. Therefore, b => ql = NIL => retr(ql) = <>. Next, suppose that 
retr(ql) = < >. Since retr is 1 to 1, ql = NIL => b. Therefore, b < = > (retr(ql) = < >). 


4. The Realization of the Queue Object in Pascal 

To realize the queue object in Pascal we need a refinement which maps the queue-like structure into 
a representation of the queue in terms of pointers and variables on the Pascal "heap”. 

Queuerep :: Heap: Ptr — > Noderep 

where Noderep :: ELT : Element 
PTER: "[Ptr]. 

A further refinement is necessary to go from the queue representation to an implementation of a 
queue in Pascal. 

program queue; 
type 

qptr = *qrec; 
qrec = record 
qdata : char; 
qnext : qptr 
end; (* qrec *) 

var 

head : qptr; 
tail : qptr; 

function empty : boolean; 
begin 

empty := (head = nil) 
end; (* empty *) 

procedure init; 
begin 

head := nil; 
tail := nil 
end; (* init *) 

procedure enqueue(arrive : qptr); 
begin 

if arrive < > nil then 
arrive ''.qnext := nil; 
if empty then 
head := arrive 
else tair.nextq := arrive; 
tail := arrive 
end; (* enqueue *) 

function dequeue(var head, tail : qtr) : char; 
begin 

if head < > nil then 


begin 

dequeue := head*. data; 
head := head*.nextq; 
if head = nil then 
tail := nil 

end 

end; (* dequeue *) 
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